BBC Controversy: Click Fraud?

I spend so much time on this blog, that I’ve been neglecting the other blogs I’m supposed to contribute to from time to time (including my own, though I’ve just started to put some papers up there – more about that later).

However, as the issue with the BBC’s possible breach of the UK’s Computer Misuse Act is probably of less interest to a predominantly US audience, I took this one to the Securiteam blog, which attracts a lot of Europeans.

The issue really revolves around the question of criminal intent. The BBC’s argument is that:

"If this exercise had been done with criminal intent it would be breaking the law.

But our purpose was to demonstrate botnets’ collective power when in the hands of criminals."

However, I would argue that mens rea ("guilty mind") is less about whether your intentions were good when you broke the law than it is about whether you knew you were breaking the law.

In this case, it sounds as if the BBC’s "Click" program bought a 22,000 PC botnet, used it to send quasi-spam to a couple of email accounts acquired specially for the job; then it was used to launch a DDoS (Distributed Denial of Service) attack against a server hosted by a security company (with the company’s prior agreement); then Click changed the wallpaper on the desktops of the compromised PCs to let the owners know they’d been recruited into a botnet, and finally broke up the botnet.

Well-intended, I’m sure. Sensational(ist), perhaps. Effective in raising public awareness, hopefully. But it sounds to me a lot like conscious exploitation of unauthorised access and unauthorised modification: exactly the issues around which the Computer Misuse Act revolves.